6 Business Continuity Planning Disaster Recovery Planning
LEARNING OBJECTIVES:
To develop business continuity plan
6.0 Introduction
Business continuity focuses on maintaining the operations of an organisation,
especially its IT infrastructure, in the face of a threat that has materialised.
Disaster recovery, on the other hand, comes into play mostly when the business
continuity plan fails to maintain operations and there is a service disruption.
The disaster recovery plan focuses on restarting operations using a prioritised
resumption list.
PRIME VISION / C.A. FINAL / ISCA / BUSINESS CONTINUITY PLANNING & DISASTER
RECOVERY PLANNING
These resource sets can be broken down into the following components:
information, technology, telecommunication, process, people, and facilities.
Objectives and Goals of Business Continuity Planning
The primary objective of a business continuity plan is to minimise loss by
minimising the cost associated with disruptions, and to enable an organisation to
survive a disaster and re-establish normal business operations.
The key objectives of the contingency plan should be to:
(i) Provide for the safety and well-being of people on the premises at the
time of disaster;
(ii) Continue critical business operations;
(iii) Minimise the duration of a serious disruption to operations and
resources (both information processing and other resources);
(iv) Minimise immediate damage and losses;
(v) Establish management succession and emergency powers;
(vi) Facilitate effective co-ordination of recovery tasks;
(vii) Reduce the complexity of the recovery effort;
(viii) Identify critical lines of business and supporting functions;
(v) Plan Development : The objective of this phase is to determine the available
options and formulate appropriate alternative operating strategies that provide
timely recovery for all critical processes and their dependencies.
The recovery strategies may be two-tiered:
Business - Logistics, accounting, human resources, etc.
Technical - Information Technology (e.g. desktop, client-server, midrange and
mainframe computers, data and voice networks)
In this phase, the recovery plan components are defined and the plans are
documented. It also includes the implementation of changes to user procedures,
upgrading of existing data processing operating procedures required to support
the selected recovery strategies and alternatives, vendor contract negotiations
(with suppliers of recovery services) and the definition of recovery teams,
their roles and responsibilities. In the event of a disaster, the goal is
survival, not business as usual.
(vi) Testing the Plan : The Testing/Exercising program is developed during
this phase. Testing/Exercising goals are established and alternative
testing strategies are evaluated. Unless the plan is tested on a regular
basis, there is no assurance that in the event the plan is activated, the
organisation will survive a disaster.
The objectives of performing BCP tests are to ensure that:
The recovery procedures are complete and workable.
The competence of personnel in their performance of recovery procedures can be
evaluated.
The resources such as business processes, IS systems, personnel, facilities and
data are obtainable and operational to perform recovery processes.
The manual recovery procedures and IT backup system(s) are current and can
either be operational or restored.
The success or failure of the business continuity training program is monitored.
TYPES OF PLANS
There are various kinds of plans that need to be designed. They include the following:
Hostile software (e.g. viruses, worms, Trojan horses) : Control measures to include
establishment of policies regarding sharing and external software usage, updated
anti-virus software with detection, identification and removal tools, use of
diskless PCs and workstations, installation of intrusion detection tools and
network filter tools such as firewalls, use of checksums, cryptographic checksums
and error detection tools for sensitive data, installation of change detection
tools, and restriction of write permissions to those who require them.
Disgruntled employees : Control measures to include installation of physical and
logical access controls, logging and notification of unsuccessful logins, use of
a disconnect feature after multiple unsuccessful logins, protection of modem and
network devices, installation of one-time passwords, security awareness programs
and training of employees, application of motivation theories, job enrichment
and job rotation.
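The "logging and notification of unsuccessful logins" and "disconnect on multiple unsuccessful logins" controls above can be checked against an authentication log. The following is an added Python example, not part of the study material: it parses constructed sample lines written in the style of OpenSSH sshd syslog messages (the log lines, host name, user names and addresses are all made up), applies a sliding-window lockout rule (five failures from the same user and source within ten minutes; both values are assumed), and also reports a successful login that follows a run of failures. The threshold values and the report layout are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog lines in the style of OpenSSH sshd); not a real capture.
SAMPLE_LOG = """\
Mar  3 09:00:01 fileserver sshd[2101]: Failed password for bob from 10.1.1.23 port 50122 ssh2
Mar  3 09:00:04 fileserver sshd[2101]: Failed password for bob from 10.1.1.23 port 50122 ssh2
Mar  3 09:00:09 fileserver sshd[2101]: Failed password for bob from 10.1.1.23 port 50122 ssh2
Mar  3 09:00:15 fileserver sshd[2101]: Accepted password for bob from 10.1.1.23 port 50122 ssh2
Mar  3 09:12:40 fileserver sshd[2140]: Failed password for invalid user admin from 10.1.1.77 port 40311 ssh2
Mar  3 09:12:41 fileserver sshd[2140]: Failed password for invalid user admin from 10.1.1.77 port 40311 ssh2
Mar  3 09:12:43 fileserver sshd[2140]: Failed password for invalid user admin from 10.1.1.77 port 40311 ssh2
Mar  3 09:12:44 fileserver sshd[2140]: Failed password for invalid user admin from 10.1.1.77 port 40311 ssh2
Mar  3 09:12:46 fileserver sshd[2140]: Failed password for invalid user admin from 10.1.1.77 port 40311 ssh2
Mar  3 17:30:00 fileserver sshd[2301]: Failed password for alice from 10.1.1.50 port 51000 ssh2
Mar  3 17:45:00 fileserver sshd[2302]: Failed password for alice from 10.1.1.50 port 51001 ssh2
Mar  3 18:05:00 fileserver sshd[2303]: Failed password for alice from 10.1.1.50 port 51002 ssh2
Mar  3 18:20:00 fileserver sshd[2304]: Failed password for alice from 10.1.1.50 port 51003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_line(line):
    """Return (timestamp, stamp_text, result, user, source), or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = f"{m['mon']} {int(m['day'])} {m['time']}"
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only the difference between two timestamps is used.
    when = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return when, stamp, m["result"], m["user"], m["src"]

def analyse(log_text, threshold=5, window_seconds=600):
    """Apply the lockout rule to a log and return what an operator would be notified about."""
    recent = defaultdict(deque)      # (user, source) -> timestamps of failures inside the window
    failures = defaultdict(int)      # (user, source) -> total failures seen (for the daily report)
    lockouts = []                    # (user, source, stamp) at which the account would be locked
    success_after_failures = []      # (user, source, failures immediately before the success)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, stamp, result, user, src = parsed
        key = (user, src)
        window = recent[key]
        if result == "Failed":
            failures[key] += 1
            window.append(when)
            while window and (when - window[0]).total_seconds() > window_seconds:
                window.popleft()      # drop failures older than the window
            if len(window) >= threshold:
                lockouts.append((user, src, stamp))
                window.clear()        # one notification per burst
        else:
            if window:                # a success right after failures is worth a notification too
                success_after_failures.append((user, src, len(window)))
            window.clear()
    return {
        "lockouts": lockouts,
        "success_after_failures": success_after_failures,
        "failures": dict(failures),
    }

if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(kind, items)
```

In the constructed log the burst against "admin" triggers the lockout, bob's success after three failures gets its own notification, and alice's four failures spread over fifty minutes never fill the ten-minute window: a slow guessing attempt is only visible in the per-source totals, which is why those are reported next to the lockouts rather than relying on the disconnect feature alone.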
Hackers and computer crimes : Control measures to include installation of
firewalls and intrusion detection systems, frequent change of passwords,
installation of one-time passwords, discontinuing the use of default and
vendor-installed passwords, use of encryption for data in storage and in
transmission, use of digital signatures, securing of modem lines with dial-back
modems, use of message authentication code (MAC) mechanisms, installation of
programs that control change procedures and prevent unauthorised changes to
programs, and installation of logging features and audit trails for sensitive
information.
Terrorism and industrial espionage : Control measures to include use of traffic
padding and flooding techniques to confuse intruders, use of encryption for
program and data storage, use of network configuration controls, implementation
of security labels on sensitive files, use of real-time user identification to
detect masquerading, and installation of intrusion detection programs.
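Several of the controls above rely on detecting changes to sensitive files: checksums and cryptographic checksums, change detection tools, message authentication codes, and programs that prevent unauthorised changes. The difference between them matters when the attacker is an insider or intruder who can also write to the place where the checksums are kept. The following added Python example, not part of the study material, uses a constructed in-memory set of files (paths and contents are made up) to take a baseline holding both a plain SHA-256 digest and an HMAC-SHA256 keyed with a secret only the checker holds, then models a tamperer who sabotages a backup script, deletes a data file and rewrites the script's stored SHA-256: the unkeyed check reports the script as unchanged, the keyed check still flags it. The baseline layout and function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a filesystem: path -> contents. A real tool would walk a directory.
ORIGINAL_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackup:x:1001:1001::/home/backup:/bin/sh\n",
    "/usr/local/bin/nightly-backup.sh": b"#!/bin/sh\ntar czf /mnt/tape/nightly.tgz /srv/data\n",
    "/srv/data/ledger.csv": b"2024-03-01,INV-1001,1250.00\n2024-03-02,INV-1002,880.50\n",
}

# Secret known only to the integrity checker (kept off the monitored host in practice).
CHECKER_KEY = secrets.token_bytes(32)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def hmac_hex(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def take_baseline(files, key):
    """Record both an unkeyed digest and a keyed MAC for every file."""
    return {path: {"sha256": sha256_hex(data), "hmac": hmac_hex(key, data)}
            for path, data in files.items()}

def check_integrity(files, baseline, key, keyed):
    """Compare the current files with the baseline; status is ok/modified/added/removed.
    keyed=False trusts the stored SHA-256; keyed=True recomputes the HMAC with the key."""
    report = {}
    for path in sorted(set(files) | set(baseline)):
        if path not in baseline:
            report[path] = "added"
        elif path not in files:
            report[path] = "removed"
        else:
            if keyed:
                expected, actual = baseline[path]["hmac"], hmac_hex(key, files[path])
            else:
                expected, actual = baseline[path]["sha256"], sha256_hex(files[path])
            report[path] = "ok" if hmac.compare_digest(expected, actual) else "modified"
    return report

def tamper_and_cover_tracks(files, baseline):
    """Model an insider with write access: sabotage the backup script, delete the ledger,
    and rewrite the stored SHA-256 so an unkeyed check looks clean. Without CHECKER_KEY
    the stored HMAC cannot be recomputed, so it is left as it was."""
    files = dict(files)
    baseline = {path: dict(entry) for path, entry in baseline.items()}
    script = "/usr/local/bin/nightly-backup.sh"
    files[script] = files[script] + b"rm -f /mnt/tape/nightly.tgz\n"
    baseline[script]["sha256"] = sha256_hex(files[script])   # forged to match the new content
    del files["/srv/data/ledger.csv"]
    return files, baseline

def demo():
    """Return (unkeyed report, keyed report) after the tampering above."""
    baseline = take_baseline(ORIGINAL_FILES, CHECKER_KEY)
    tampered_files, tampered_baseline = tamper_and_cover_tracks(ORIGINAL_FILES, baseline)
    unkeyed = check_integrity(tampered_files, tampered_baseline, CHECKER_KEY, keyed=False)
    keyed = check_integrity(tampered_files, tampered_baseline, CHECKER_KEY, keyed=True)
    return unkeyed, keyed

if __name__ == "__main__":
    unkeyed, keyed = demo()
    print("unkeyed:", unkeyed)
    print("keyed:  ", keyed)
```

The keyed check only helps if the key is not stored next to the files it protects: a tamperer who can read the checker's key can forge the HMAC as easily as the digest. A deletion is caught either way, since the check walks the baseline as well as the live file set.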
Single Points of Failure Analysis :
The objective is to identify any single point of failure within the organisation's
infrastructure, in particular the information technology infrastructure, and to
ensure that single points of failure are identified at the earliest possible stage.
Single points of failure have increased significantly due to the continued growth
in the complexity of the organisation's IS environment.
One common area of risk from a single point of failure is the telecommunication
infrastructure. Because of its transparency, this potential risk is often
overlooked.
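A single point of failure analysis is easier to do against an explicit dependency model than against a network diagram, and the telecommunication case the text singles out is exactly the kind a diagram hides. The following added Python example, not part of the study material, models a constructed infrastructure (component names are made up) where each component has a list of requirements and each requirement is met by any one of a set of alternatives; it then fails every component in turn and reports those whose loss alone takes the critical service down. It re-runs the analysis after adding a second WAN link to show what redundancy removes from the list. The model and its notation are the example's own.

```python
# Constructed dependency model (component names are made up).
# component -> list of requirements; each requirement is a list of alternatives,
# any one of which satisfies it. The two web servers are redundant with each other,
# but everything reaches the outside world through one switch and one WAN link.
INFRA = {
    "online-banking": [["web-1", "web-2"], ["db-primary"], ["wan-link-a"]],
    "web-1": [["core-switch"]],
    "web-2": [["core-switch"]],
    "db-primary": [["san-1"], ["core-switch"]],
    "wan-link-a": [["isp-router-a"]],
    "core-switch": [],
    "san-1": [],
    "isp-router-a": [],
}

def is_available(name, infra, failed, visiting=frozenset()):
    """True if `name` is up given the set of failed components: it must not itself have
    failed and every requirement must have at least one available alternative."""
    if name in failed or name in visiting:
        return False                       # a cyclic dependency counts as unavailable
    visiting = visiting | {name}
    for alternatives in infra.get(name, []):
        if not any(is_available(alt, infra, failed, visiting) for alt in alternatives):
            return False
    return True

def single_points_of_failure(infra, service):
    """Components whose individual failure alone makes `service` unavailable."""
    return sorted(c for c in infra
                  if c != service and not is_available(service, infra, {c}))

def with_redundant_wan(infra):
    """Return a copy of the model with a second, independent WAN link added."""
    copy = {name: [list(alts) for alts in reqs] for name, reqs in infra.items()}
    copy["wan-link-b"] = [["isp-router-b"]]
    copy["isp-router-b"] = []
    copy["online-banking"] = [["wan-link-a", "wan-link-b"] if "wan-link-a" in alts else alts
                              for alts in copy["online-banking"]]
    return copy

if __name__ == "__main__":
    print("SPOFs now:         ", single_points_of_failure(INFRA, "online-banking"))
    print("SPOFs with 2nd WAN:", single_points_of_failure(with_redundant_wan(INFRA), "online-banking"))
```

Every component in the resulting list is a candidate for redundancy, a spare, or an explicit recovery procedure. The switch and the WAN path appear even though the servers in front of them are duplicated, which is the transparency the text warns about. The pass only covers single failures; combinations (both web servers down at once) need a separate analysis.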
Full Backup : A full backup captures all files on the disk or within the
folder selected for backup. With a full backup system, every backup
generation contains every file in the backup set. However, the amount of
time and space such a backup takes prevents it from being a realistic
proposition for backing up a large amount of data.
(ii) Hot site : If fast recovery is critical, an organisation might need hot-site
backup. All hardware and operations facilities will be available at the hot
site. In some cases, software, data and supplies might also be stored there. A
hot site is expensive to maintain, so hot sites are usually shared with other
organisations that have hot-site needs.
(iii) Warm site : A warm site provides an intermediate level of backup. It has
all cold-site facilities plus hardware that might be difficult to obtain or
install. For example, a warm site might contain selected peripheral equipment
plus a small mainframe with sufficient power to handle critical applications in
the short run.
(iv) Reciprocal agreement : Two or more organisations might agree to provide
backup facilities to each other in the event of one suffering a disaster. This
backup option is relatively cheap, but each participant must maintain sufficient
capacity to operate another's critical systems.
(6) the facilities and services the site provider agrees to make available, and
BACK-UP REDUNDANCY
Multiple Backup Media : For data of high importance, data loss is absolutely
unacceptable. Therefore, single points of failure, such as a failed backup disk
that destroys the entire backup history, should be eliminated.
Off-Site Backup : Off-site backup is done to keep at least one copy of your
redundant backups in an alternative location. If the backup is considerably
large (>10GB), the cost of a high-speed link, security issues and backup time
will rule out backing up over high-speed links. A practical solution is to take
the backup onto a removable backup disk, which is shuttled out of your site to a
secure location.
Where to Keep the Backups : If removable-media backups are kept next
to the computer, a fire or other disaster will probably destroy both. A
secure off-site location is best. Consider keeping one backup disk in the
office and the other one or two off-site.
Media Rotation Tactics : Once in a while, rotate the active backup media with one
of the off-site stored media. This updates the off-site media with the latest
data changes. To reduce data loss in case of a major disaster, it is recommended
to switch the active backup media daily with one of the stored media.
(ii) DVD Disks : DVD (also known as "Digital Versatile Disc" or "Digital
Video Disc") is a popular optical disc storage media format. Its main uses
are video and data storage. Most DVDs are of the same dimensions as
compact discs (CDs) but store more than six times as much data.
(iii) Tape Drives : Tape drives are the most common backup media around
due to their low cost. The average capacity of a tape drive is 4 to 10 GB.
The drawbacks are that they are relatively slow when compared with
other media, and can tend to be unreliable.
(iv) Disk Drives : Disk drives are very fast compared to tape drives. The disk
drive rotates at a very fast pace and has one or more heads that read and
write data.
(v) Removable Disks : Using a removable disk such as a ZIP/JAZ drive is
becoming increasingly popular for the backup of single systems. They
are quite fast, not that expensive and easy to install and carry around.
(vi) DAT (Digital Audio Tape) drives : DAT drives are similar to a standard tape
drive but have a larger capacity. They are fast becoming popular and are slowly
replacing the older tape drive. Other cartridge tape formats are DLT (Digital
Linear Tape), SDLT (Super Digital Linear Tape), LTO (Linear Tape Open) and AIT
(Advanced Intelligent Tape), offering up to 260GB of compressed data.
(vii) Optical Jukeboxes : Optical jukeboxes use magneto-optical disks rather than
tapes to offer a high-capacity backup solution, ranging from 5 to 20 terabytes.
A jukebox is a tower that automatically loads internally stored disks when
needed for backup and recovery; just add a certain number of CDs or DVDs when
you first set it up, and maintenance is relatively low.
INSURANCE
The purpose of insurance is to spread the economic cost and the risk of loss
from an individual or business to a large number of people. This is
accomplished through the use of an insurance policy. Policies are contracts
that obligate the insurer to indemnify the policyholder or some third party
from specific risks in return for the payment of a premium.
Adequate insurance coverage is a key consideration when developing a
business recovery plan and performing a risk analysis.
Policies usually can be obtained to cover the following resources:
Equipment : Covers repair or acquisition of hardware. It varies
depending on whether the equipment is purchased or leased.
Facilities : Covers items such as reconstruction of a computer room,
raised floors, special furniture.
Storage media : Covers the replacement of the storage media plus their
contents data files, programs, documentation.
Business interruption : Covers loss in business income because an
organisation is unable to trade.
Extra expenses : Covers additional costs incurred because an
organisation is not operating from its normal facilities.
Valuable papers : Covers source documents, pre-printed reports, and
records documentation, and other valuable papers.
Accounts receivable : Covers cash-flow problems that arise because an
organisation cannot collect its accounts receivable promptly.
Media transportation : Covers damage to media in transit.
Malpractice, errors and omissions : Covers claims against an organisation by its
customers, e.g. claims made by the clients of an outsourcing vendor or service
bureau.
Kinds of Insurance :
Insurance is generally divided into two general classes: first-party and third-party
insurance. First-party insurance covers claims by the policyholder against their
own insurer. Third-party insurance is designed to protect against claims made
against the policyholder (and his insurer) for wrongs committed by the policyholder.
(a) First-party Insurances - Property Damages :
It is designed to protect the insured against the loss or destruction of property.
It is offered by the majority of all insurance firms in the world and
uses time-tested forms, the industry term for a standard insurance
contract accepted industry-wide.
This form often defines loss as physical injury to or destruction of
tangible property or the loss of use of tangible property which has
not been physically injured or destroyed. Such policies are also
known as all risks, defined risk, or casualty insurance.
(b) First-party Insurances - Business Interruption : If an insured company fails
to perform its contractual duties, it may be liable to its customers for breach of
contract. One potential cause for the inability to deliver might be the loss of
information system, data or communications. Some in business and the
insurance industry have attempted to mitigate this by including information
technology in business recovery/disaster plans.
(c) Third-party Insurance General Liability : Third party insurance is
designed to protect the insured from claims of wrongs committed upon
others. It is in parts based on the legal theory of torts.
Torts are civil wrongs which generally fit into three categories:
intentional, negligent and strict liability.
Intentional torts are generally excluded from liability insurance
policies because they are foreseeable and avoidable by the insured.
Strict liability torts, such as product liability issues, are generally
covered under specialised liability insurance.
(d) Third-party Insurance - Directors and Officers : Errors and Omissions (E&O)
insurance is protection from liability arising from a failure to meet the
appropriate standard of care for a given profession. Two common forms of E&O
insurance are directors and officers, and professional liability. Directors and
officers insurance is designed to protect officers of companies, as individuals,
from liability arising from any wrongful acts committed in the course of their
duties as officers. These policies usually are written to compensate the
officers' company for any losses payable by the company for the acts of its
officers.
Setting objectives:
Test objectives should include:
Recovery of systems at the standby site, and establishment of an
environment to enable full accommodation of the nominated
applications.
A fully documented set of procedures to obtain and utilise offsite
tapes to restore the system and critical applications to the agreed
recovery point, as set out in the recovery plan.
Recovery of system/application/network/database data from the
offsite/backup tapes.
Detailed documentation on how to restore the production data as
stipulated in the recovery plan, to the agreed recovery point.
Fully documented procedures for establishing communication lines/
equipment to enable full availability and usage by appropriate areas
e.g. business units, data entry, users, etc.
Established communication lines/equipment as set out in the plan.
Examination of the designated alternative sites and confirmation that all
components are as noted in the plan.
(i) Team objectives
(ii) Scenario of disaster
(xiv) Determine if the plan is dated each time that it is revised so that the
most current version will be used if needed.
i) Have key employees seen the plan and are all employees aware that there is
such a plan?
Information Technology
Determine if the plan reflects the current IT environment.
Determine if the plan includes prioritisation of critical applications
and systems.
Determine if the plan includes time requirements for
recovery/availability of each critical system, and that they are reasonable.
Does the disaster recovery/ business resumption plan include
arrangements for emergency telecommunications?
Is there a plan for alternate means of data transmission if the
computer network is interrupted?
Has the security of alternate methods been considered?
Determine if a testing schedule exists and is adequate (at least
annually). Verify the date of the last test. Determine if weaknesses
identified in the last tests were corrected.
Administrative Procedures
Does the disaster recovery/ business resumption plan cover
administrative and management aspects in addition to operations?
Is there a management plan to maintain operations if the building is
severely damaged or if access to the building is denied or limited for
an extended period of time?
Is there a designated emergency operations center where incident
management teams can coordinate response and recovery?
Determine if the disaster recovery/ business resumption plan
covers procedures for disaster declaration, general shutdown and
migration of operations to the backup facility.
Have essential records been identified? Do we have a duplicate set of
essential records stored in a secure location?
To facilitate retrieval, are essential records separated from those that
will not be needed immediately?
Does the disaster recovery/ business resumption plan include the names
and numbers of suppliers of essential equipment and other material?
Does the disaster recovery/ business resumption plan include
provisions for the approval to expend funds that were not budgeted
for the period? Recovery may be costly.
Has executive management assigned the necessary resources for plan development,
concurred with the selection of essential activities and the priority for
recovery, agreed to the back-up arrangements and the costs involved, and is it
prepared to authorise activation of the plan should the need arise?
8. As a system auditor, what control measures will you check to minimise threats,
risks and exposures in a computerised system?
16. Describe the various types of disaster recovery testing and the testing
procedure.
17. What are the audit tools and techniques used by a system auditor to ensure
that the disaster recovery plan is in order? Briefly explain them.
DEVELOPING A BUSINESS CONTINUITY PLAN:
Providing an understanding of the efforts required to develop and maintain a recovery plan to the management
Obtaining commitment from management
Defining recovery requirements from the perspective of business functions
Documenting the impact of an extended loss to operations and key business functions
Focusing appropriately on disaster prevention and impact minimization
Selecting business continuity teams
Developing a business continuity plan
Defining integration into ongoing business planning and system development processes
TYPES OF PLANS:
(Boys Entered the Room)
Back-up Plan
Emergency Plan
Recovery Plan
BACK-UP REDUNDANCY:
(Where is MOM)
Where to Keep the Backups
Multiple Backup Media
Off-Site Backup
Media Rotation Tactics